Sami Assiri fb6b34bcc0 docs(core-os): completion program index + decision plane contracts; link PR16 tier1 checklist; merge follow-up

Made-with: Cursor

2026-04-16 16:21:33 +03:00

Enterprise delivery fabric — WS6 checklist

Reference: governance/github-and-release.md.

Repository / org controls

Rulesets on main (and release branches): no direct push, required reviews, required status checks.
CODEOWNERS for critical paths (backend/app/api, auth, payments, agents).
Merge queue (when CI stable).
Conversation resolution required before merge (policy).

GitHub Environments: dev, staging, canary, prod with protection rules.
Required reviewers / wait timers where GitHub Enterprise allows (document limits for private repos per org tier).
“Deployments must succeed” gate where applicable.

OIDC federation to cloud roles for deploy workflows (no long-lived cloud secrets in repo).
Artifact attestations / provenance where supply-chain risk warrants.

Enterprise audit log retention limits; Git events short retention — plan SIEM / warehouse streaming for audit-grade customers (link runbooks when added).

Store screenshots or org policy links (internal) as evidence for enterprise questionnaires; do not commit secrets.